PS3 CPU Exploit Released by DarkHacker, METLDR Exploitation

Today a PlayStation 3 hacker known as DarkHacker has released a PS3 CPU Exploit which he states will lead developers closer to METLDR exploitation.

From his site (linked above): This is a release of the hidden Cell Exploit found a while ago and one of the step taken to the metldr exploit i'm going to release the because i fell people should have the right to do as they wish and the information should be free to the public.

i know by releasing this exploit i'll probably be taken to court or sued but fck sony they can go to hell all i care for what there doing to us hackers i'll fight until the last min i got of my life if i have to for the right of the people.

i know you all remember the exploit with ram and so on back in 3.15 well your going look for the 'CELL RESET LINE' and that going be where the exploit is you know how the small 60ms or ns i dont remember thing sent to ps3 for the read and write of the ram ?

well use line send that and connect it to the cell reset line. (FIND IT IN DOC) and ground on outside of case and the example of what can be done with this is a cold reset which still has acess to the memory from gameos - don't let this die out people i'm taking a big risk by giving you all this information.

- thanks to mitchy my personal hard drive - note i did not upload the documents and if requested i'll remove the links.

Example of what can be done with this -- untouched memory on cold boot full access to lv2 and all game os memory.

Below is some additional information from IRC, along with Mathieulhclaiming ownership of the PS3 CPU Exploit released by DarkHacker:

Mathieulh: Matt_P yeah it has nothing to do with an exploit, all it allows is dumping 1.10 to 3.15 lv2Mathieulh: using a coldboot and a small stubMathieulh: I gave this trick to darkhacker on msn months ago, looks like he leaked it for fame, I don't give a damn anyway, I am just pissed at lamers leaking stuffMathieulh: even useless stuffs like these Mathieulh: and of course you can't dump metldr or any loader for that matter using this trickMathieulh: it's not even an exploit, the reset line is actually used every time your ps3 resetsMathieulh: it's a featureMathieulh: you just abuse it of a sort along with otheros to dump lv2Mathieulh: since we can decrypt lv2 you don't really need to dump it anymore...Mathieulh: not to mention otheros is gone

"All this does is resets the cell processor to its initial state after bootup. It exploits a weakness in the security where RAM is not cleared on bootup.

In order to successfully complete this hack we would need to write to an area of memory that would be executed on startup. There are two ways to do this, we could either do it with hardware, or software. Doing it by hardware is out of the question as the RAM is encrypted, and we are not able to access the keys required to access it. The other way would be via software, as was done with geohot’s memory glitching explot which ran through otherOS.

Basically we need to execute our own code to write to memory, If we are capable of doing this in the first place, what is the need for this hack? There is none."

"Uhm, the thing is, you have to have access to that RAM, and you need OtherOS or another kernel that has access to that area of RAM. You also have to make sure nothing writes to that region, which will surely almost never happen. You also need enough luck to get the geohot dangling HTAB exploit working.

See, a hash page table, has the page table entries (PTEs) which provide Virtual Address to Physical Address (VA-to-PA or VA-to-RA), which is a mapping for virtual addresses such as 0×8000000000000001 to a physical address such as 0×40000000000. The dangling HTAB exploit is known to work in firmware 3.41 and 3.15. One needs to glitch the RAM bus when the page table write occurs, then create a new virtual page entry and hope it lies in that region you want.

Then, you can dump your data. This requires some good luck though, and some good button pressing skills! Also, this is very very very far from metldr. asecure_loader or metldr is decrypted inside the isolated SPU, or synergistic processing unit (/me shakes fist at Sony’s lawyers for calling it a “Stable Processing Unit”), which is not accessible by any other SPU or PowerPC unit. The only thing that has access to that SPU is the program inside the isolated SPU.

Also, I also don’t trust this guy because… he confused nanosecond RAM timing with millisecond RAM timing. There’s a huge difference! 1 millisecond is about 1 million nanoseconds.

Also, this is not the exploit Mathieulh tweeted about. This is far from it, it’s sort of like as far as the South Pole to the North Pole ."

hey i'm sorry to ask this, is their any one brave enough to show us how? and thank you so much for the files, i know who done this worked so hard thank you for all your hard work. how are we to ground the reset line with wire and solder or do i need to make a switch for it?